♪ preroll music ♪
Angel: The next talk will start now
and will be 'Unpatchable -
living with a vulnerable
implanted device'
by Dr. Marie Moe and Eireann Leverett.
Give them a warm round
of applause please.
applause
heart monitor beep sounds start
So, we are here today
to talk to you about a subject
that is really close to my heart.
I have a medical implant.
A pacemaker, that is generating
every single beat of my heart.
But how can I trust my own heart,
when it's being controlled by a machine,
running a proprietary code,
and there is no transparency?
So I'm a patient,
but I'm also a security researcher.
I'm a hacker, because I like
to figure out how things work.
That's why I started a project
on breaking my own heart,
together with Eireann
and a couple of friends.
Because I really want to know
what protocols are running
in this machine inside my body.
Is the crypto correctly implemented?
Does it even have crypto?
So I'm here to inspire you today.
I want more people
to hack to save lives.
Because we are all becoming
more and more dependent on machines.
Maybe some of you in the audience
also have medical implants,
maybe you know someone
that's also depending on
medical implants
Imagine that this is your heartbeat
and it's being controlled by a device.
A device, that might fail.
Due to software bugs,
due to hardware failures.
additional background sound:
real heartbeat
Wouldn't you also like to know
if it has security vulnerabilities?
If it can be trusted?
sounds stop
beeeeep
E: Something to think about, right?
M: Yeah.
E: Marie is an incredibly
brave women.
When she asked me to give this talk
it made me nervous, right?
It's such a personal story.
Such a journey as well.
And she's gonna talk to you
about a lot of things, right?
Not just hacking medical devices
from a safety point of view
but also some of the
privacy concerns,
some of the transparency concerns,
some of the consent concerns.
So, there's a lot to get trough
in the next hour.
But I think you're gonna enjoy it
quite a lot.
M: So, let me tell you
the story about my heart.
So, 4 years ago
I got my medical implant.
It was a kind of emergency situation
because my heart was starting to beat
really slow,
so i needed to have the pacemaker.
I had no choice.
After I got the implant,
since I was a security researcher,
of course I started to
look up information about how it worked.
And I googled for information.
I found a technical manual
of my pacemaker
and I started to read it.
And i was quite surprised
when I learned that
my pacemaker has 2 wireless interfaces.
There is one interface, that is really
close field communication,
near field communication
that is being used when I'm at checkups
at the hospital,
where the technician,
the pacemaker technician or doctor
uses a programming device
and places it
really close to my pacemaker.
And it's possible to use that
communication to adjust the settings.
But it also has another
wireless interface,
that I was not aware of,
that I was not informed of
as a patient.
It has a possibility for remote monitoring
or telemetry,
where you can have an
access point in your house
that will communicate
with the pacemaker
at a couple of meters distance.
And it can collect logs from the pacemaker
and send them to a server
at the vendor.
And there is a web interface
where the doctor can log in
and retrieve my information.
And I have no access the data
that is being collected
by my device.
E: So imagine for a moment
that you are buying a new phone
or buying a new laptop.
You would do your homework, right?
You would understand
what interfaces where there.
But in Marie's case she's just
given a device,
and then later she gets
to go and read the manual, right?
So she's the epitome
of a informed consumer
in this space
and we want a lot more
informed consumers
in this space,
which is why we are giving this talk.
Now, I don't know about you,
but I'm used to hacking
industrial systems.
I haven't done as
much medical research
in the past.
So, when I first
started this project
I knew literally nothing
about Marie's heart.
Or even my own.
And she had to teach me
how the heart works
and how her pacemaker works.
So, would you mind explaining
some details to the audience
that will be relevant
through the rest of the presentation?
M: Actually I think
we're going to show you
a video of
how the heart works.
So, it's a little bit of
biology introduction here
before we start
with the technical details.
So, this.. play the video.
Video: A normal heart beat rate
and rhythm is called
'Normal Sinus Rhythm'.
The heart's pumping action
is driven by electrical stimulation
within the heart muscle.
the heart's electrical system
allows it to beat in an
organized, synchronized pattern.
Every normal heart beat
has 4 steps.
Step 1:
As blood flows into the heart
an electrical impulse
from an upper area of the right atrium
also known as the sinus node
causes the atria to contract.
When the atria contract
they squeeze the blood
into the ventricles.
Step 3:
There is a very short pause
only about a fraction of a second.
and Step 4:
The ventricles contract
pumping the blood to the body.
A heart normally beats
between 60-100 times/min.
Electrical signals in your heart
can become blocked or irregular,
causing a disruption
in your hearts normal rhythm.
When the heart's rhythm is too fast,
too slow or out of order,
an arrhythmia,
also called a rhythm disorder occurs.
When your heart beats out of rhythm,
it may not deliver enough blood
to your body.
Rhythm disorders can be caused
by a number of factors
including disease, heredity,
medications or other factors.
E: So for those of you
who are already aware of that,
apologies.
But I needed to learn that.
I needed to learn the basics
before we even got started, right?
So...
M: So this is a diagram of the
electrical system of the heart.
So, as you see,
this is the sinus node
that is generating the pulse.
And in my case
I had a problem with the signal
being generated by the sinus node
not reaching the lower
heart chamber.
It's something called an AV block
or a heart block
So, occasionally this will cause
an arrhythmia that makes
the heart pause.
If you don't have a heart beat
for, like ... 8-10 seconds,
you lose your consciousness.
And that was, what happened to me.
I just suddenly found myself
lying on the floor
and I didn't remember how I got there.
And it turned out that it was my heart
that had taken a break.
So that's how I discovered
that I had this issue.
So, this is where the signal is blocked
on the way down to the lower heart chamber
But there's a backup function
in the heart that can make
a so called backup pulse.
And I had that backup pulse
when I went to the
emergency room.
So I had a pulse
around 30-40 beats/min.
And that's generated by some cells
in the lower heart chamber.
So, after I got the pacemaker
my heart started to become
a little bit more lazy.
So it is not certain,
that I will have this backup pulse
anymore if the pacemaker
stops working.
So currently
my heart is 100% running
on the pacemaker.
So, let's also look at
how the pacemaker works.
I have another video of that.
So, this is my little friend
that is running my heart.
Video: A pacemaker
is a miniaturized computer
that is used to treat
a slow heart beat.
It is about the size
of a couple of stacked silver dollars
and weights approximately 17-25 grams.
It is usually surgically placed
or implanted just under the skin
in the chest area.
The device sends
a tiny electrical pulse
down a thin coated wire,
called a lead, into your heart.
This stimulates the heart to beat.
This impulses are very tiny
and most people
do not feel them.
While the device
helps your heart
maintain its rhythm,
it also stores information
about your heart that can be
retrieved by your doctor
to program the device.
E: Remember that!
M: Yeah... Did you see
the ones and zeros at the end
of the video?
That's what we want
to know more about.
Because this information
that is being collected
by the pacemaker,
how it works,
how the code looks like,
it's all closed source,
it's all proprietary information.
And that's why we need more
security researchers,
we need more 3rd party testing,
to be sure that we can trust this code.
E: And you can imagine that
we're doing some of
this research as well.
But I'm not gonna break
Marie's heart on stage,
I'm not gonna drop 0-day
on some medical devices,
so if you came for that,
it's not worth staying.
The rest of the presentation
will be about some of
the things we found
and how this works and
how you might approach this research.
And some of the people
who did this research before,
because there's plenty of others,
and we like to give a shout-out
to those who've done
great research in advance.
But essentially this point is
very relevant.
That the internet
of medical things
is already here.
And Marie is wired into it.
She's a bit younger than the average
pacemaker patient, but, you know,
she was thrust into this situation
where she had to think about things
in a very different way.
Like, you did a Masters,
breaking crypto,
and also a PHD in Information Security.
Did you imagine, that
things you learned
about SSH and
network security
might one day apply to your
heart and your own body?
M: No, I never
figured out that
my research would eventually
end up inside my own body.
That's something I never
thought about.
And also, there's a lot of
people that don't think about
how the medical devices
actually work.
So, when I asked this question
to health care professionals
they look at me like I'm crazy,
they don't ... they have never
thought about this before.
That there's actually code
inside my body
and someone has
programmed it,
someone has
written this code.
And, did they think
about, that this
would actually control
someone's life,
and be my own personal
critical infrastructure?
E: Yeah, personal
infrastructure, right?
On a physical level.
And also, I think, it's...
You know, the point that you made
is important to reiterate,
that you go and see your doctor
and you ask these questions about
whether anyone can hack into my heart
and they probably look
at you and go like
'Don't you worry your pretty
little head about that', right?
But Marie used to head up
the Norwegian computer
emergency response team
for a couple of years
and knows a lot of hackers
and knows what she's
talking about, right?
So, when she asked her doctor
these questions,
they're very legitimate questions.
And the doctors probably
don't know anything about code,
but they need to move
towards a place
where they can answer
those questions with some
honesty and certainty and
treat them with the dignity
that they deserve.
Should we show them
a little bit more
about the total ecosystem
of devices
that we are talking about,
at least in this particular talk?
M: Yeah.
E: So, this was
all new to me.
I mean I've moved around
in networks and done some
penetration testing and
some stuff in the past,
but I didn't know much about
implantable medical devices.
So, we've got a couple
of them there.
The ICD, which is the
in-cardio-defibrillator,
that's some of the work
that you saw from Barnaby Jack
which we will mention later,
was on those particular devices,
We've got the pacemakers
and of course other devices
could be in this diagram as well.
Like, we could be talking
about insulin pumps
or other things in the future.
The device itself speaks
to box number 2,
which we will tell you a little bit
more about in a moment,
using a protocol, commonly
referred to as 'MICS'.
A number of different
devices use this
Medical Implant
Communication Service.
And Marie shocked me yesterday
when she found
a couple devices
that potentially use Bluetooth. sighing
laughter
So, would you like to tell them
a little bit more about the access point,
and I'll join in?
M: Yeah, so, the access
point is the device
that you can typically have
on your bed stand
and that will, depending
on your configuration,
contact your pacemaker
as regular intervals,
e.g. once during the night.
It will start a communication
with the pacemaker,
couple of meters distance,
and will start
collecting logs.
And this logs will
then be sent,
it can be via SMS
or other means,
to a server.
So, there's a lot of my
personal information
that can end up different
places in this diagram.
So, of course it's
in my own device,
it will be then communicated
via this access point
and also then
via the cellular network.
And then it will also be stored
in the telemetry server.
Potentially when I go
for the checkups
my personal information will
also end up in my
doctor workstation
or in the electronic
patient records.
And there's a lot of things
that can go wrong there.
E: Yeah, you
can see, it's using
famously secure methods
of communication
that have never been backdoored or
compromised by anyone ever before,
even here at this conference,
probably even this time around.
So these are some things
that are concerning.
The data also travels often
to other countries
and so there are questions
about the jurisdiction
in terms of privacy laws
in terms of some of this data.
And some of you can go and
look deeper into that as well.
The telemetry store thing
I think is important,
some of this is a telemetry store,
such as the server at the vendor.
So the vendor owns some
machines somewhere
that collect data
from Marie's heart.
So you can imagine she goes to see her
doctor and the doctor is like:
'Hey, Marie, last weekend, did you, ...
run a half marathon or something?'
And she hasn't told him, right?
Like, he just can look
at the data and see,
that her heart rate was up
for a couple hours.
That's true though, right? You
did actually run a half marathon.
M: Yeah, I did run a half marathon.
laughing
E: So, the telemetry
store is one part,
but there's also the
doctors work station
which contains a lot of
this medical data.
So, from privacy perspective
that's part of the attack surface.
But there's also the programmers, right?
There's the device's programmers.
So that's an interesting point, that
I hope a lot of you are interested in
already, that there
is a programmer
for these devices.
M: So, we actually
went shopping on eBay
and we found some
of these devices.
E: You can buy them on eBay?
M: Yeah.
E: laughing
M: So, I found
a programmer
that can program
my device, on eBay
and I bought it.
And I also found a couple of
these access points.
So, that's what we're
now starting to look at.
E: We just wanna to give
you an overview of this system,
and it's fairly similar across the
different device vendors,
and we're not going to talk
about individual vendors.
But if you're gonna go and
do this kind of research
you can see that some of the research
you've already done in the past
applies to different parts
of this process.
M: And talking about
patient privacy,
when we got the
programmer from ebay
it actually contained
patient information.
So, that's the
really bad thing.
E: So, I found
this very odd.
I had a similar reaction
to yourselves because
I usually do industrial
system stuff.
One of my friends picked up
some PLCs recently and
they had data from the nuclear plant,
that the PLCs had been used in.
So, decommissioning is a problem
in industrial systems
but it turns out also
in medical devices, right?
I guess that's a useful point
to make as well,
about the costs of doing
this kind of research.
It is possible to get some
devices, some implants
from people who have sadly
passed on,
but that comes with a very high
cost of biomedical decontamination.
So that raises the cost
of doing this research
on the implants themselves,
not necessarily on the rest
of the devices.
M: Yeah, so, also want
to say, that in this research
I had not have not tinkered
with my own device.
So, that would not be a good thing ...
E: You're not gonna let me,
like, SSH into your heart and just ...
M: Um.. No.
E: ... just delete some stuff.. No?
M: No.
E: I wouldn't do it anyway,
but it's an interesting point, right?
So, like, there are a lot of
safety percussions
that we and the rest
of the team have to take
when we are doing this research.
And one of them is
not pairing Marie's pacemaker
with any of the devices
that are under test.
Do you wanna say a bit more
about connectivity and vulnerability?
M: Yeah, so...
I was worried
when I discovered that
I had this possible connectivity
to the medical internet of things.
In my case this is switched off
in the configurations
but it's there.
It's possible to turn it on,
it's possible for me to be
hooked up to the,
this internet of medical things.
And for some patients
this is really benefit.
So you always have to make
a risk-based decision
on whether or not to
make use of this
connectivity.
But I think it's really important
that you make an informed decision
about that and that the patient
is informed and has given
his or her consent
to have this feature.
The battery lifetime of my pacemaker
is around 10 years.
So in 6 years time
I will have to have a
replacement surgery
and I'm going to be
a really difficult patient laughing
laughter
So, ...
applause
E: Right on.
M: I really want to know
how the devices work
by then and
I want to make an informed
decision on whether or not
to have this connectivity.
But of course for lot of patients
the benefit of having this
outweighs the risk.
Because people that had other
heart problems than me
they have to go for more
frequent checkups.
I only have to go once a year.
So, for patients that need to go
frequently for checkups,
it's really good for them
to have the possibility
of having telemetry and
having connectivity to
have remote patient monitoring.
E: Yeah, imagine you
have mobility problems or
you even just live far
from a major city.
And making the journey
to the hospital is quite arduous,
then this kind of remote
telemetry allows your doctor
to keep track of
what's going on.
And that's very important,
we don't wanna, like...
have a big scary testosterone
filled talk where we, like,
hack some pacemakers.
We wanna talk about
how there's a dual use thing
going on here.
And that there is a lot of value
in having this devices
but we also want them to be safe
and secure and preserve our privacy
and a lot of other things.
So, these are some
of the issues.
Of course the last one,
the remote assassination scenario,
that' s everyone favorite one
to fantasize about
or talk about, or make
movies about, but
we think there's a lot of
other issues in here
that are more interesting,
some quality issues even, right,
that we'll talk about
in a little bit.
Battery exhaustion,
again something many people
don't think about. But...
I'm very interested in
cyber-physical exploitation
and so some of this elements
were interesting to me
that you might use the device
in a way that wasn't expected.
M: So personally I'm not afraid
of being remotely assassinated.
E: I've actually never known
you to be afraid of anything
M: laughing
I'm more worried about
software bugs in my device,
the things that can malfunction,
E: Is that just theoretical?
M: No, actually software bugs
have killed people.
So, think about that!
People that are not here,
they don't have their voice
and they can't really
give there story.
But there are stories about persons
depending on medical devices
dying because their
device malfunctioned.
E: There's even some
great research
from academics about
how the user interface design
of medical devices can have
an impact on patients safety
and how designing UX
much more clearly
and concisely
specifically for the
medical profession
might improve
the care of patients.
Do you wanna say more
about this slide or should we
go on to the previous work,
should we... go ahead!
M: Yeah, I think it's really
important also to...
the issue of trusting the vendors.
So, as a patient I'm
expected to just, you know,
trust, that my device
is working correctly,
every security vulnerability
has been corrected by the vendor
and it's safe.
But I want to have more
third party testing,
I want to have more security
research on medical implants.
And as a lot things, like ...
history has shown
we can't always trust that
the vendors do the right thing.
E: I think this is a good
opportunity for us to ask
a very fun question, which is:
Any fans of DMCA in the room?
laughter
No? No fans? Alright.
Well, you then you'll really enjoy this.
Marie has some very exciting news
about DMCA exemptions.
M: Yeah, so... October, this year
there was a ruling of
an DMCA exemption for
security research
on medical devices
also for automotive security research.
So, this means, that
as researchers you can
actually do reverse engineering
of medical implants
without infringing copyright laws.
It will take effect
I think October next year.
E: Yeah.
M: That is really a big
step forward in my opinion.
And I hope that this will
encourage more research.
And I also want to mention
that there are
fellow activist patients
like myself
that was behind that proposal
of having this exemptions.
So, Jay Radcliff who hacked
his own insulin pump,
Karen Sandler, who is a free and
open software advocat.
And Hugo Campos, who has
an ICD implant, he is very ...
he wants to have access
to his own data
for quantified self reasons.
So this patients,
they actually
made this happen,
that you're allowed to do
security research
on medical devices.
I think that's really great.
applause
E: Do you wanna say something
about Scott Erven's presentation
that you saw at DEF CON?
M: Yeah, that was a really
interesting presentation about
how medical devices have
really poor security.
And they have, like,
hard coded credentials,
and you can find them
using Shodan on the internet.
This were not pacemakers,
but other types of
different medical devices.
There are, like, hospital networks
that are completely open
and you can access
the medical equipment
using default passwords that
you can find in the manuals.
And the vendors claim that
no, these are not hard coded,
these are default,
but then the manuals say:
Do not change this password...
E: Because they want to
integrate with other stuff, right? So...
I've heard that excuse from SCADA,
so I wasn't having it.
M: They also put up some
medical device honeypots
to see if there were
targeted hacking attempts
but they only picked up regular malware
on them, which is also ...
E: Only!
M: ... of course of a concern laughing
E: Anything else,
about prior art, Kevin?
M: I guess we should mention
that the academic research
on hacking pacemakers,
which was started by
a group led by Kevin Fu
and they had this
first paper in 2008
that they also followed up
with more academic research
and they showed that it's
possible to hack a pacemaker.
They showed that...
this was possible on a, like
a couple of centimeters
distance only,
so, like, the attack scenario
would be, if you have a
device similar to the
programmers device
and you attack me with it
you can laughing
turn off my pacemaker.
That's not really scary,
but then we have the research
by Barnaby Jack
where this range of the attack
is extended to several meters
so you have someone with
an antenna in a room
scanning for pacemakers
and starting to program them.
E: We have a saying
at Cambridge about that.
Some of the other people at the
university have been doing attacks
a lot longer than I have, and
one of the things they say is:
'Attacks only get worse,
they never get better.'
So, the range might be short one year,
then a couple of years later it's worse.
M: The worst case scenario
I think would be remotely,
via the internet being able to
hack pacemakers.
but there's no research so far
indicating that that's possible.
E: And we don't wanna
hype that up. We don't wanna...
M: No.
E: ... get that kind of an angle
on this talk. We wanna make the
point that hacking can save lives,
that hackers are global citizen's
resource to save lives, right? So...
M: Yeah, so, this is the result
of hacking of the drug infusion pumps.
Earlier this year
the FDA actually issued the first ever
recall of a medical device
based on cyber security concerns.
E: I think that's amazing, right?
They've recalled products
because of cyber security concerns. They
used to have to wait until someone died.
In fact, they had to show
something like 500 deaths
before you could recall a product.
So now they can ...
the FDA, at least in the US,
they can recall products
just based on security
considerations.
M: So, this is also,
I guess the first example
of that type of pro-active
security research,
where you can
make a proof of concept
without killing any patients
and then that closes
the security holes.
And that potentially
saves lives.
And no one has been hurt
in the research.
I think that's great.
E: I'm also really excited
because we give a lot of presentations
about security that are filled with
doom and gloom and depression,
so it's nice to have two major victories
in medical device research
in the last few years.
One being the DMCA exemptions
and the other being
actual product recalls.
M: Yeah, and the FDA are starting
to take these issues seriously and
they are really focusing on the cyber
security of medical implants now.
I'm going to go to a workshop
arranged by the FDA in January
and participate on a panel discussing
cyber security of medical implants.
And it's great to have this
type of interaction between
the security committee, medical
device vendors and the regulators.
So, things are happening.
E: Yeah. How do you feel
as an audience,
are you glad that she's going to be
your representative in Washington
for some of these issues?
applause
And we want you to get
involved as well, right?
This is not just about Marie
and myself and the other people
who worked on this
project, it's meant say
you too can do this research.
And you should be.
You have to be a little sensitive,
a little bit precise and articulate
about concerns.
We take some inspiration from the
former research around hygiene.
Imagine the first time some scientist
went to some other scientist and said
'There is this invisible stuff,
and it's on your hands,
and if you don't wash your hands
people get infections!'
And everyone thought
they were crazy.
Well, it's kind of the same with us
talking about industrial systems
or talking about medical devices
or talking about hacking in general.
People just didn't, sort of,
believe it was possible at first.
And so we have to articulate ourselves
very, very carefully.
So, we draw inspiration from
that early hygiene movement
where they had a couple simple rules
that started to save people's lives
while they explained germ theory
to the masses.
M: Yeah, so, this type of research
is kind of low hanging fruits
where you just, so...
what we show here is an example,
where there's a lot of medical
device networks in hospitals
that are open to the internet
and that can get infected
by normal type of malware,
like banking trojans or whatever.
And this is potentially a safety issue.
So, if your MR scanner or some other
more life-critical device
is being unavailable because of
a virus on it,
that's a real concern for patient
security and safety.
So we need to think more about
the hygiene also in terms of
computer viruses, not only
just normal viruses.
E: Yeah. So, you know, some
times people will treat you like
this is an entirely theoretical
concern, but
I think this is one of the best
illustrations that we've found
of how that should
be a concern,
and I think all of you will get it,
but I wanna give you a moment to kind of
read what's about to come up on the slides.
So I'll just let you enjoy
that for a moment.
So if it's not clear or it's not your
first language or something,
this guy basically sharded patient data
across a bunch of amazon clusters.
And then it was unavailable.
And they were very concerned
about the unavailability of their
costumer patient data
sharded across amazon instances.
He was complaining to support, like
'Can I get support to fix this?' laughing
M: So, all the data of the ...
... the monitoring data of the cardiac
patients is unavailable to them
because of the service
being downed.
And, well, do you want to outsource your
patient's safety to the cloud? Really?
I don't want that.
Okay.
E: I wanna get into some other details.
We have sort of 10 min left if we can ...
so we can have a lot of questions,
and I'm sure there will be some.
But I want you to talk to them about
this very personal story.
This is... Remember before, when we
said, is this stuff theoretical?
I want you to pay a lot of
attention to this story.
It really moved me
when she first told me.
M: I know how it feels to have
my body controlled by a device
that is not working correctly.
So, I think it was around 2 or 3
weeks after I had the surgery.
I felt fine.
But I hadn't really done
any exercise yet.
The surgery was pretty easy,
I only had 2 weeks sick leave
and then I came back to work
and I went to London
to participate in a course
in ethical hacking and
I did take the London Underground
together with some of my colleges
and we went of at this station
at Covent Garden
And I don't know if you
have been there but
that particular station is
really low underground.
They have elevators that you
can use to get up,
but usually there are, like,
long queues to the elevators...
E: You always have to do
things the hard way, right?
M: You had to take the stairs, or
they were just heading for the stairs
and I was following them and
we were starting to climb the stairs and
I didn't read this warning sign, which is:
'Those with luggage, pushchairs & heart
conditions, please use the lift' laughing
Because I was feeling fine,
and this was the first time that I
figured out there's something wrong
with my pacemaker or with my heart.
Because I came like
half way up this stairs
and I felt like I was going to die.
It was a really horrible feeling.
I didn't have any more breath left,
I felt like I wasn't able
to complete the stairs.
I didn't know what was
happening to me, but
somehow I managed to
drag myself up the stairs
and my heart was really...
it didn't feel right.
So, first thing when I came
back from this course
I went to my doctor
and we started to try
debug me, tried to find out
what was wrong with my pacemaker.
And this is how that looks like.
E: laughing
M: So, there's a stack
of different programmers
- this is not me by the way, but it's
a very similar situation.
E: And we'll come back to those
programmers in a moment.
M: Yeah.
E: But the bit I want you
to focus on is, like, they're
debugging your pacemaker?
Inside you?
M: Yeah, I didn't know
what was happening
at the time.
We were just trying to
get the settings right
and it took like 2 or 3 months before
we figured out what was wrong.
And what happened was, that my
operate limit was set to low for me,
for my age. So, the normal pacemaker
patient is maybe around 80 years old
and the default operate
limit was 160 beats/min.
And that's pretty low for
a young person.
E: So, imagine, like, you're younger
and you're really fit and you know
how to do something really well,
like swimming or skiing or skateboarding
or whatever. You're fantastic at it.
And then a couple years go past
and you know, you gain some weight
and you're not as good at it, right?
But now imagine that
happens in 3 seconds.
While you're walking
up a set of stairs.
M: So, what happens is that
the pacemaker detects
'Oh, you have a really high pulse'.
And there's a safety mechanism
that will cut your pulse in half ...
E: In half!
laughter
M: laughing So in my case it went
from 160 beats/min to 80 beats/min.
In a second, or less than a second,
and that felt really, really horrible.
And it took a long time
to figure out what was wrong.
It wasn't until they put me on
an exercise bike and
had me on monitoring that they
figured out what was wrong, because
the thing was, that what was displayed
on the pacemaker technician's view
was not the same settings that
my pacemaker actually had.
There was a software bug in the
programmer, that caused this problem.
E: So they thought they had updated
her settings to be that of a young person.
They were like
'Oh, we've already changed it'.
But they lost the view. They couldn't
see the actual state of the pacemaker.
And the only way to figure that out
was to put her on a bike
and let her cycle until her
heart rate was high enough.
You know, literally physically
debugging her to figure out
what was wrong.
Now stop and think about whether or not
you would trust your doctor
to debug software.
laughter
So, say a little bit more about those
programmers and then we'll move on
towards the future.
M: Yeah, so, we got hold of one of these
programmers, as mentioned
and looked inside it.
And, well, we named this talk
'Unpatchable', because
originally my hypothesis was that,
if you find a bug in a pacemaker
it will be hard to patch it.
Maybe it would require surgery.
But then when we looked
inside the programmer
and we saw that it contained firmware
for pacemakers we realized that
it's possible to actually patch the
pacemaker via this programmer.
E: One of the other researchers
finds these firmware blobs inside
the programmer code and, like,
my heart stopped at that point, right?
I was just going 'Really, you can just
update the code on someones pacemaker?'
We also wanna say something
about standardization.
Look at all those
different programmers.
Someone goes into a hospital
with one of these devices
they have may different programmers
so they have to make an estimation
of which... you know, which
programmer for which device.
Like, which one are you running.
And, so, some standardization
would be an option laughing
perhaps, in this case.
M: Yeah.
E: Alright. So, we gonna need
to move quickly through
the next few slides to talk
to you about the future,
but I hope that drives home that
this is a very real issue for real people.
M: So, pacemakers are evolving and
they are getting smaller
and this is the type of pacemaker
that you can actually implant
inside the heart.
So, the pacemaker I have today
is outside the heart and it has
leads that are wired to my heart.
But in future they are getting
smaller and more sophisticated and
I think this is exciting!
I think that a lot of you,
also in the audience will
benefit from having this type of
technology when you grow older
and we can have longer lives and
we can live more healthier lives
because of the technology
E: And keep in mind, right?
Some of you may already have devices
and already have this issues,
but others of you will think 'Ah, that
won't happen to me for quite a long time'
But it can be a sudden thing, that,
you know, you don't necessarily
have a choice to run code
inside your body.
Which OS do you wanna implant?
laughing
You wanna tell them about the..
M: This is also a quite exciting
maybe future type of implants
that you can have.
So, this is actually a cardiac sock,
it's 3D-printed and it's making
a rabbit's heart beat outside
the body of the rabbit.
So, there's a lot of technology
and sensors and things that
are going to be implanted
in our bodies
and I think more of you will become
cyborgs like me in the future
E: And there's a lot of work
that you could be doing.
You know, 3D-printing
this devices,
and open sourcing as much
of this as possible.
There's a lot to say here, right?
I think it's time to address
the really scary issue.
The informed consent issue
around patching, right?
Remember earlier we were
talking about the programmers
and we pointed out that there
were firmware blobs in there
and that these people,
you know, your doctor or nurse
could upgrade the code
running on your medical implant.
Now, is there a legal requirement
for them to inform you,
before they alter the code
that's running inside your body?
As far as we can tell
- and we need to look at a lot of
different countries at the same time,
so we gonna ask you to help us -
as far as we can tell there are not
laws requiring your doctor
to tell you that they are upgrading
the firmware in your device.
M: Yeah, think about that laughs
It's a quite scary thing.
I want to know what's happening
to my implant, the code,
if someone wants to alter the code
inside my body, I would like to know
and I would like to make
an informed decision on that
and give my consent
before it happens.
E: You might even choose a device
where that's possible or not possible
because you're making a risk-based
decision and you're an informed consumer
but how do we help people,
who don't wanna understand
software and firmware and upgrades
make those decisions in the future as well.
Alright.
M: So now, if we're going to go through
all this, but there's a lot of reasons
why we're in the situations of having
insecure medical devices.
There's a lot of legacy technology because
there's a long lifetime of this devices
and it takes a long time
to get them on the market.
And they can be patched,
but in some cases
they are not patched or there are
no software updates applied to them.
We don't have any third party
security testing of the devices,
and that's really needed in my opinion.
E: Right, an underwriters laboratory
or consumer laboratory that's there
to check some of these details.
And I don't think that's unreasonable,
right? That sort of approach.
M: And there's a lack of regulations,
also. So there's a lot of things
that should be worked on.
E: So, there's a lot of
ways to solve this
and we're not gonna give you
the answer, because we're not
geniuses, so we're
gonna say that
these are some different
approaches that we see all
playing in a solution space.
So, vendor awareness is
obviously important, but
that's not the only thing.
A lot of the vendors have been
very supportive and
very open to discussion,
of transparency, that needs to
happen more in the future, right?
Security risk monitoring,
I've been working in the field
of cyber insurance, which I'm sure
sounds like insanity to the rest of you,
and it is, there are bad days.
But that could play a part
in this risk equation in the future.
What about medical incidence response,
right? Or medical device forensics.
M: If I suddenly drop dead
I really would like to have
a forensic analysis
of my pacemaker, to ...
E: Please remember that, all of you!
Like, if anything is going to happen
to Marie... everyone asked that, right?
Like, 'Aren't you afraid of giving this talk?'
And we thought about it,
we talked about it a lot and
she's got a lot of support
from her husband and her son
and her family and a bunch of us.
If anything happens to this woman
I hope that we will all be doing
forensic analysis
of everything.
applause
Cool. So, we'll say a little bit about
'I Am The Cavalry' and social contract
and then we'll wrap it up, okay?
So, 'I Am The Cavalry' does
a lot of grassroots research
and support and lobbying and
tries to articulate these messages.
They have a medical implant
arm that has a bunch of
different researchers doing
this kind of stuff.
Do you wanna say more about them?
M: Yeah, so we are both
part of the Cavalry,
because no one is coming
to save us from the future
of being more depended on
trusting our lives on machines
so, that's why we need to step up
and do the research and
encourage and inspire the research.
So, that's why I joined
'I Am The Cavalry'
and I think it's a
good thing to have
a collaboration effort between
researchers, between the vendors
and the regulators, as they are,
or we are working with.
E: We also think that even if you
don't do reverse engineering
or you're not interested in
security details or the opcodes
that are inside the firmwares
or whatever,
this question is a question that
any of you here can talk about
for the rest of the congress and
going forward into the future.
Right?
This is Marie's, so go ahead.
M: Yeah, so, I really want to know
what code is running inside my body.
And I want to know ...
or I want to have a social contract
with my medical doctors and
my physician that is giving me
this implants.
It needs to be based on a
patient-to-doctor trust relationship.
And also between
me and the vendors.
So I really want to know that
I can trust this machine inside...
E: And we think many of you will
be facing similar questions
to these in the future.
I have questions.
Some of my questions are serious,
some of my questions are
not serious, like this one:
Is the code on your dress
from your pacemaker?
M: No, actually it's from the
computer game 'Doom'.
But ...
laughter
once I have the laughing
code of my pacemaker
I'm going to make a custom-
ordered dress and get it...
E: Which is pretty cool, right?
M: ... get it with my own code.
applause
So, let's wrap up with... what we
want to have of future research.
So, we encourage more research,
and these are some things that
could be looked into.
Like open source medical devices,
that doesn't really exist,
at least not for pacemakers.
But I think that's one way
of going forward.
E: I think it's also an opportunity
for us to mention a really scary idea,
which is, you know, should anyone
have a golden key to Marie's heart,
should there be backdoored
encryption inside of her heart?
We think no laughing
but that...
M: I don't see any reason why
the NSA should be able to
have a back door to my heart,
do you?
E: You would be an extremist,
that's why you don't want them
to have a back door to your heart.
But this is a serious question, right?
If you start backdooring
any kind of crypto anywhere,
how do you know,
where it's gonna end up.
It might end up in medical devices
and we think that's unacceptable.
applause
M: And we should also mention
that we're not doing this alone,
we have other researchers
helping us forward doing this.
Angel: So, thank you very much
for this thrilling talk,
we're now doing a little
Q&A for 10 min,
and for the Q&A please keep in mind
to respect Marie's privacy, so
don't ask for details about
the implant or
something like that.
E: Yeah, the brands and stuff.
We're gonna tell you, what OS
she's running.
Angel: People, who are now leaving
the room, they will not be able
to come back in, because
of measures laughing
laughter
So, let's start with the Q&A!
Let's start with this microphone there.
Q: Hi, first of all thank you very much
for a very fascinating talk.
I'm not going to ask you
about specific vendors.
However, I thought it was very
interesting what you said, that
most vendors were really supportive
I would like to know whether
there have been
exceptions to that rule,
not who it was or anything like that
but what kind of arguments
you may have heard from vendors
e. g. have they referred to anything
such as trade secrets or copyright
or any other legal reasons
why not to give you,
or not to give public access
to information about devices?
Thank you.
E: So, we haven't had any legal
issues so far in this research.
And in general they haven't been
concerned about copyright.
I think they're more concerned
about press, bad press,
and a hype, you know, what
they would see as hype.
they don't wanna see us scaring
people away from these things
with, you know, these stories.
M: Yeah, that's also something
I'm concerned of, of course,
as a patient. I don't want to
scare my fellow patients
from having life-critical
implants in their body.
Because a lot of people need
them, like me, to survive.
So, the benefit clearly
outweighs the risk in my case.
E: But that seems to be their
main concern, like, you know,
'Don't give us too
much bad press'
Angel: Ok, next question
from over there.
Q: Hello. I wanted to ask you, if you
know about any existing initiatives
on open sourcing
the medical devices,
on mandating the open sourcing
of the software and firmware
through the legal system,
in European Union, in United States
because I think I've read
about such initiatives
about 1 year ago or so,
but it was just a glimpse.
M: So, there are some patients
that have reverse engineered their
no audio
(insu)lin pumps. I know, that
there are groups of patients
like the parents of children
with insulin pumps.
They have created
software to be able...
to have an app on their
mobile phone to be able
to monitor their child's
blood sugar levels.
So that's one way of
doing this open source
and I think that's great.
Q: But nothing
in the legal systems,
no initiatives to mandate this,
e.g. on European level?
E: Not so far that we've seen,
but that's something that
can be discussed now, right?
M: I think it's really interesting,
you could look into the legal
aspects and the regulations
around this, yeah.
Q: Thank you.
Angel: Ok, can we have
a question from the internet?
Q: Yes, from the IRC someone asks:
'Does your pacemaker
have a biofeedback,
so in case something bad
happens it starts to defibrillate?
M: No, I don't have an ICD,
so in my case I'm not getting a shock
in case my heart stops.
Because I have a different condition
I only need to have
my rhythm corrected.
But there are other
types of conditions,
that require pacemakers
that can deliver shocks.
Angel: Ok, one question
from that microphone there.
Q: Thank you very much.
At one point you mentioned
that the connectivity in you
pacemaker is off. For now.
And, is that something, that patients
are asked during the process,
or is that something,
patients have to require?
And generally: What role
do you see for the choice
not to have any connectivity
or any security for that matter,
that technology would
make available to you?
So, how do you see the possibility
to choose a more risky life
in terms of trading in
for privacy, whatever?
M: Yeah, I think that's
really a relevant question.
As we mentioned
in the social contract,
I really would like, that the doctors
informed patients about
their different wireless interfaces
and that there's an informed decision
whether or not to switch it on.
So, in my case, I don't
have it switched on and ...
I don't need it, so there's no reason
why I need to have it switched on.
But then, again, why did I get
an implant that has this capability?
I should have had the option of
opting out of it, but I didn't get that.
They didn't ask me, or they
didn't inform me of that,
before I got the implant.
It was chosen for me.
And at that time I hadn't looked
into the security of medical devices,
and I needed to
have the implant,
so I couldn't really make
an informed decision.
A lot of patients that are,
like, older and not so...
that don't really understand
the technology,
they can't make that
informed decision, like I can.
So, it's really a
complex issue
and something that we
need to discuss more.
Angel: Ok, another
question from there.
Q: Yeah, thanks.
As a hacker, connected personally
and professionally
to the medical world:
How can I educate doctors,
nurses, medical people
about the security risks presented
by connected medical devices?
What can I tell them?
Do you have something
from your own experience
I could somehow ...
M: Yeah, so, the issue of
software bugs in the devices
I think is a real scenario
that can happen and ...
E: Yeah, if you can repeat
that story of debugging her,
like, I think, that makes the point.
And then try in adopt that
hygiene-metaphor that we
had before, where, you know,
people didn't believe in germs,
and these problems before,
we're in that sort of era,
and we're still figuring out
what the scope of potential
security and privacy problems are
for medical devices.
In the meantime
please be open to new research
on this subject, right?
And that story is
a fantastic illustration,
that we don't need evil hacker
typer, you know, bond villain,
we just need failure to debug
programming station, properly, right?
Q: Thank you very much.
Angel: Ok, another question
from the internet.
Q: Yes, from the IRC:
'20 years ago it was common,
that a magnet had to be placed
on the patients chest to activate the
pacemakers remote configuration interface.
Is that no longer the case today?'
E: It's still the case with some devices,
but not with all of them I think.
M: Yeah, it varies between the devices,
how they are programmed and
how long distance you
can be from the device.
Q: Thank you for the talk.
I've some medical devices
in myself to, an insulin pump and
sensors to measure the blood sugar levels,
I'm busy with hacking that and
to write the software for myself,
because the *** doesn't
have the software.
Have you ever think about it, to write
your own software for your pacemaker?
E: laughing
M: laughing
M: No, I haven't thought about
that until now. No. laughing
E: Fantastic, I think that deserves
a round of applause, though,
because that's exactly
what we're talking about.
applause
Angel: Another question
from there.
Q: First off, I want to say thank you
that you gave this talk, because
once it's quite interesting,
but it's not that talk,
anyone of that is effected could hold,
so, it takes quiet some courage and
I want to say thank you. So
applause
Secondly, thank you for giving me the
update. I started medical technology but
I finished ten years ago and I didn't work
in the area and it's quiet interesting to
see what happened in the meantime, but
now for my actual question:
You said you got devices on ebay, is it
possible to get the hole
communication chain?
So you can make a sandbox test or ..
M: Yes it's possible to get devices,
it's not so easy to get the pacemaker
itself , it's quite expensive.
E: And even when we get one,
we have some paring issues and like
Marie can't be in the same room , when
we were doing a curtain types of testing
and right, so that last piece is difficult
but the rest of the chain is pretty
available for the research.
Q: Ok, thank you.
Angel: So, time is running out, so we,
only time left for one question and from
there please.
Q: Thank you. I'm also involved in
software quality checks and software qs
here in Germany also
with medical developments
and as far as I know, it is the most
restricted area of developing products
I think in the world,
it's just easier to manipulate software
in a car X-source system or breaking guard
or something like this, where you don't
have to show any testing certificate or
something like this, the FDA is a very
high regulation part there.
Do you have the feeling that it's a
general issue that patients do not have
access to these FDA compliant tests and
software q-a-systems?
M: Yeah, I think that we should have
more openness and more transparency
about, around this issues , really.
E: I mean, it's fantastic you do quality
assurance, i used to be in quality assurance
at a large cooperation and I got tiered
and landed in strategy and pen testing and
then I just thought of myself as paramilitary
quality assurence , ..
now I just do it on ever I wanne test, so
thank you for doing q-a and keep doing it
and hopefull you don't have to many regulations
but companies sharing more of this
information, its really the transparency
and the discussion, the open dialogue
with patients and doctor and a vendor is
really what we wanna focus on and make
our final note ?
M: Yeah.
M: We see some problems already
the last year, the MI Undercover Group has
had some great progress on having good
discussions with the FDA and also involving
the medical device vendors in the discussions
about cyber security of medical devices
and implants. so thats great and I hope
that this will be even better the next year.
E: And I think you wanne to say
one more thing to congress before we leave
which is:
M: Hack to save lives!
applaus
♪ postroll music ♪
subtitles created by c3subtitles.de
Join, and help us!